1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-23 21:35:11 +03:00

test: ignore IAB capabilities in test-execute

libcap v2.33 introduces a new capability set called IAB[0] which is shown
in the output of `capsh --print` and interferes with the test checks. Let's
drop the IAB set from the output, for now, to mitigate this.

This could be (and probably should be) replaced in the future by the
newly introduced testing options[1][2] in libcap v2.32, namely:
    --has-p=xxx
    --has-i=xxx
    --has-a=xxx

but this needs to wait until the respective libcap version gets a wider
adoption. Until then, let's stick with the relatively ugly sed.

Fixes: #15046

[0] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=943b011b5e53624eb9cab4e96c1985326e077cdd
[1] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=588d0439cb6495b03f0ab9f213f0b6b339e7d4b7
[2] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=e7709bbc1c4712f2ddfc6e6f42892928a8a03782
This commit is contained in:
Frantisek Sumsal 2020-03-09 11:00:58 +01:00
parent 908055f61f
commit e9cdcbed77
9 changed files with 18 additions and 18 deletions

View File

@ -2,7 +2,7 @@
Description=Test for CapabilityBoundingSet Description=Test for CapabilityBoundingSet
[Service] [Service]
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output # sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep "^Bounding set .*cap_chown"' ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep "^Bounding set .*cap_chown"'
Type=oneshot Type=oneshot
CapabilityBoundingSet=~CAP_CHOWN CapabilityBoundingSet=~CAP_CHOWN

View File

@ -3,6 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=no
[Service] [Service]
PrivateDevices=no PrivateDevices=no
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output # sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod' ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod'
Type=oneshot Type=oneshot

View File

@ -3,6 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=no
[Service] [Service]
PrivateDevices=no PrivateDevices=no
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output # sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio' ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio'
Type=oneshot Type=oneshot

View File

@ -3,6 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=yes
[Service] [Service]
PrivateDevices=yes PrivateDevices=yes
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output # sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod' ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod'
Type=oneshot Type=oneshot

View File

@ -3,6 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=yes
[Service] [Service]
PrivateDevices=yes PrivateDevices=yes
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output # sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio' ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio'
Type=oneshot Type=oneshot

View File

@ -3,6 +3,6 @@ Description=Test CAP_SYSLOG for ProtectKernelLogs=no
[Service] [Service]
ProtectKernelLogs=no ProtectKernelLogs=no
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output # sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_syslog' ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_syslog'
Type=oneshot Type=oneshot

View File

@ -3,6 +3,6 @@ Description=Test CAP_SYSLOG for ProtectKernelLogs=yes
[Service] [Service]
ProtectKernelLogs=yes ProtectKernelLogs=yes
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output # sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_syslog' ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_syslog'
Type=oneshot Type=oneshot

View File

@ -3,6 +3,6 @@ Description=Test CAP_SYS_MODULE ProtectKernelModules=no
[Service] [Service]
ProtectKernelModules=no ProtectKernelModules=no
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output # sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module' ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module'
Type=oneshot Type=oneshot

View File

@ -3,6 +3,6 @@ Description=Test CAP_SYS_MODULE for ProtectKernelModules=yes
[Service] [Service]
ProtectKernelModules=yes ProtectKernelModules=yes
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output # sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module' ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module'
Type=oneshot Type=oneshot